VULNERABILITY ALERT ------------------- Vulnerability: COSIGN-VULN-2011-001 Application: cosign Affected Versions: 3.0.0 through 3.1.2 Vulnerability Type: Authentication bypass Severity: Moderate Attack: Proof-of-concept Software Website: http://weblogin.org/ Contact: security@weblogin.org Dates: 2011-11-02 (private disclose) 2011-11-16 (public disclosure) OVERVIEW -------- Unanchored regular expression pattern matching in cosignd could allow an attacker to log in as an arbitrary user. The attacker must guess the value the weblogin administrators have selected for the cgi certificate's Common Name. The attacker additionally requires a specially crafted certificate signed by a Certificate Authority (CA) the weblogin administrators have chosen to use with cosignd. BACKGROUND ---------- cosign is a web single-sign-on system. Written at the University of Michigan, cosign is an open source software project and a part of the National Science Foundation Middleware Initiative (NMI) EDIT software release. cosign is deployed extensively at the University of Michigan and at educational institutions and other organizations around the world. cosign consists of two primary components: the central weblogin server and cosign-protected web servers. The central weblogin server consists of a cosign CGI (logs users in and out), the cosign daemon (manages information about the state of the session for each authenticated user), and various administrative scripts. Each cosign-protected web server runs a filter which communicates with the daemon via a text-based protocol to assure that users who access protected areas of the web site are authenticated. Users must authenticate to CGI on the central weblogin server before they are permitted access to a protected service. Both the CGI as well as the filter on each cosign-protected web server set their own cookie in users' browsers for the purpose of uniquely identifying the user's session. These cookie values are random strings. Additional background details are available at http://weblogin.org/overview.html TECHNICAL DETAILS ----------------- The cosign daemon (cosignd) uses regular expressions to determine whether a client should be allowed to connect to the server. The client presents a certificate when negotiating TLS, and cosignd grants or denies access based on whether the certificate's Common Name (CN) matches a regular expression in the cosign configuration file. In the cosign.conf, the administrator also designates one or more CNs "cgi" clients--that is, clients permitted to send LOGIN, LOGOUT and REGISTER commands. In cosign 3.0.0 through 3.1.2, cosignd uses unanchored pattern matching when deciding what level of access a connected client has. If an attacker is able to guess a CN the weblogin administrators have designated a "cgi", AND the attacker can obtain a certificate with a CN containing the cgi CN as a substring, AND that certificate is signed by a CA considered valid by cosignd, the attacker may send arbitrary commands to cosignd. Although the attack requires the attacker to guess values and obtain a specially crafted certificate considered valid by cosignd, organizations are encouraged to update to cosign 3.1.4 or to add anchors to their cosign.conf's "cgi" lines. (See ADDITIONAL INFORMATION below.) Organizations permitting clients to authenticate with certificates issued by public CAs are most exposed, as those organizations have no control over issued certificates. Extra caution is merited in light of recent public certificate authority compromises. Organizations maintaining an internal CA to control access to cosignd are much less exposed, given their local control over issued certificates. NOTE: The information above is intended as a description of the vulnerability and not as a test for use in determining whether a weblogin server is vulnerable. The attack described above may require tweaking in order to be used against an actual cosign installation. ADDITIONAL INFORMATION ---------------------- cosign 3.1.4 and the patch available at http://weblogin.org/ fix the vulnerability by implicitly anchoring all regular expressions used by cosignd. The cosign development team has also audited all use of regular expressions in the cosign source code, making sure implicit anchoring is the standard. Administrators may also protect their deployments by including explicit regular expression anchors in the "cgi" patterns in cosign.conf. For example, cgi weblogin-cgi should be modified to include the regular expression anchors (^ and $) to ensure a whole string match: cgi ^weblogin-cgi$ After editing the cosign.conf to add the anchors, weblogin administrators should restart cosignd. Following the edit and restart, cosignd is no longer exposed. Note that the anchors are not required after installing cosign 3.1.4. Organizations that have questions regarding cosign, or that need assistance with upgrading cosign to a non-vulnerable version or back-porting the patch to an older version, can contact the cosign development team at cosign@umich.edu. TIMELINE -------- 2011-11-02 Private disclosure to known cosign deployments, to permit them to address the vulnerability on their weblogin servers before public disclosure of the vulnerability. 2011-11-16 Public disclosure. Release of cosign 3.1.3. 2011-11-18 Release of cosign 3.1.4 to correct broken build of 3.1.3. ACKNOWLEDGMENTS --------------- Thanks to Phil Pishioneri of the Pennsylvania State University, who reported a pattern matching bug which later led to discovery of the flaw. Thanks to Marcus Watts of the University of Michigan, who reported the crashing bug in 3.1.3 caused by incomplete patching.